A new report on financial cybercrime has found that while financial institutions have embraced social media to engage customers, grow their business and promote offers and services, scammers are also flocking to the platforms to target potential victims.

The “External Social And Digital Threats To Financial Institutions” report from security firm ZeroFOX Inc. looked at the growing trend among cybercriminals to use social media platforms to broaden their access to potential victims. The reason is the low cost and technical barriers involved in creating attack vectors for targeting marks and scamming them.

The number of financial scams is rapidly growing, the report said, from about 250,000 attempts in 2016 to 437,165 posted by 18,175 unique scammers so far this year.

Not all scams are successful, but the report estimated that if they were, potential profits could be in excess of $180 million. In a study of 46 self-reported posts on social media, news stories and digitally interviewed scam victims, a total of $19,050 in losses occurred, averaging about $414 per incident. Scammers are said to target victims using social media sites in three ways: spray-and-pray, land-and-expand and social engineering, using four different types of attacks: scams, spear phishing, malware distribution and account takeovers.

The spray-and-pray process, identified as the most common form of attack, involves a scammer casting the net as wide as possible before isolating particular victims. Land-and-expand involves an attacker targeting specific organizations or users and subsequently seeks to expand to others with similar demographics and penetrable social circles, while social engineering involves the attacker tricking a victim into performing some form of an action ranging from a simple clickthrough to sending money or disclosing sensitive information.

“Social media is a formidable attack surface due to its sheer size and breadth,” the report noted. “With ever-increasing volumes of data being poured into these different networks, detecting threats is a matter of identifying the signal in a vast, dynamic dataset.”

That’s a huge challenge, the report noted: “Billions of new pieces of content are created every day, most internet users are actively engaged with the social platforms, and the average person will spend over five years during their lifetimes surfing on social media. Social media’s high traffic, massive scale, and widespread usage has made it impossible for humans alone to navigate through this information to identify threat indicators.”

Images: Pixabay/ ZeroFOX